Magecart/Carbanak: Researchers from Malwarebytes have looked into the modus operandi of Magecart Group 5, noting that its tactics differ somewhat from those of other Magecart attackers. Rather than breaching merchants directly, Group 5 compromises the third-party suppliers whose code e-commerce sites load, such as JavaScript libraries, analytics scripts, and security seals, so that a single supplier compromise reaches every downstream site, hundreds of thousands of websites in total. The skimming script used by Group 5 was heavily obfuscated and built to exfiltrate names, addresses, credit card numbers, expiration dates, and CVV codes. Compromising one supplier to reach thousands of stores yields a far higher return per successful intrusion than attacking stores one at a time, which is why Group 5 favors this approach.

The group has used what researchers described as a bulletproof domain registrar in China, BIZCN/CNOBIN, for many of its fake domains; the same registrar is used by other criminal organizations as well. Group 5 has typically practiced good operational security when registering domains, keeping itself anonymous and untraceable. In the most recent campaign the group registered eight domains using a privacy protection service, but failed to enable that protection on one of them. The domain, Informaer.info, still exposed its registrant contact information, including an email address that researchers were able to examine. Pivoting on that address, they built a network of other domains registered with it, and then pivoted again on the alternate email addresses associated with that network. Some of those addresses had previously been used to register domains that delivered the Dridex banking trojan. Dridex has been around for many years and to this day continues to be delivered through spam campaigns.
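The registrant pivot described above, as an added example that is not code from the Malwarebytes researchers or the original article: starting from one domain whose contact details were left exposed, it links every domain that shares a registrant email address or phone number, hop by hop, and refuses to pivot on privacy-proxy contacts, since a proxy address is shared by everyone who bought the same privacy service and would tie unrelated domains together. Only the seed name Informaer.info comes from the page; every email address, phone number, proxy domain and other domain name is constructed sample data.

```python
"""Registrant pivoting across WHOIS-style records (added example).

Starting from one domain whose registrant contact was left exposed, link
every domain that shares a registrant e-mail or phone number, hop by hop.
Privacy-proxy contacts are never used as pivot keys: a proxy address is
shared by everyone who bought the same privacy service, so pivoting on it
would tie unrelated domains together. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# E-mail domains operated by WHOIS privacy services. Constructed for the
# example; in practice this list is maintained from observed proxy contacts.
PRIVACY_PROXY_DOMAINS = {"privacyprotect.example", "whoisguard.example"}


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    email: str
    phone: str
    campaign: str = ""  # what the domain is known to have delivered, if anything


def is_privacy_proxy(email: str) -> bool:
    """True when the registrant e-mail belongs to a privacy-protection service."""
    return email.lower().rsplit("@", 1)[-1] in PRIVACY_PROXY_DOMAINS


def normalize_phone(phone: str) -> str:
    """Digits only, so '+7 (495) 123-45-67' and '74951234567' compare equal."""
    return "".join(ch for ch in phone if ch.isdigit())


def pivot_keys(record: WhoisRecord) -> List[str]:
    """Registrant attributes of a record that are safe to pivot on."""
    keys = []
    if record.email and not is_privacy_proxy(record.email):
        keys.append("email:" + record.email.lower())
    digits = normalize_phone(record.phone)
    if digits:
        keys.append("phone:" + digits)
    return keys


def build_index(records: List[WhoisRecord]) -> Dict[str, Set[str]]:
    """Inverted index: pivot key -> set of domains registered with it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        for k in pivot_keys(r):
            index[k].add(r.domain)
    return index


def pivot(seed: str, records: List[WhoisRecord], max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first pivot from `seed`; returns {domain: hops from seed}."""
    index = build_index(records)
    by_domain = {r.domain: r for r in records}
    reached = {seed: 0}
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for domain in frontier:
            record = by_domain.get(domain)
            if record is None:
                continue
            for key in pivot_keys(record):
                for other in index[key]:
                    if other not in reached:
                        reached[other] = hop
                        next_frontier.append(other)
        frontier = next_frontier
    return reached


def linked_campaigns(reached: Dict[str, int], records: List[WhoisRecord]) -> Set[str]:
    """Known campaigns among the pivoted domains (the Magecart/Dridex overlap)."""
    return {r.campaign for r in records if r.domain in reached and r.campaign}


# Constructed sample records. Only the seed domain name comes from the report;
# every e-mail address, phone number and other domain is invented.
SAMPLE_RECORDS = [
    WhoisRecord("informaer.info", "ops@skimmer-mail.example", "+7 495 123-45-67", "Magecart skimmer"),
    WhoisRecord("stats-cdn.example", "ops@skimmer-mail.example", "", "Magecart skimmer"),
    WhoisRecord("seal-verify.example", "admin@seal-verify.example", "74951234567"),
    WhoisRecord("doc-update.example", "admin@seal-verify.example", "+1 555 0100", "Dridex"),
    # Privacy-protected registrations share a proxy contact and must not be linked.
    WhoisRecord("secure-shop.example", "contact@privacyprotect.example", ""),
    WhoisRecord("garden-blog.example", "contact@privacyprotect.example", ""),
]

if __name__ == "__main__":
    network = pivot("informaer.info", SAMPLE_RECORDS)
    for domain, hops in sorted(network.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {domain}")
    print("campaigns linked:", sorted(linked_campaigns(network, SAMPLE_RECORDS)))
```

On the sample data the pivot reaches stats-cdn and seal-verify in one hop (shared email and shared phone respectively) and the Dridex domain in two, while the two privacy-protected domains stay unlinked even though they share a contact address; a pivot that starts from one of them returns only itself. Any key shared by an implausible number of domains (a registrar's default contact, a webmail placeholder) deserves the same treatment as a proxy: cap the fan-out or exclude it, because the registrant controls these fields and can fill them with anything, which is exactly the attribution caveat the article raises.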
The Carbanak group has also been active for years, primarily targeting banks and using a backdoor of the same name for espionage and data exfiltration. A 2017 report from Swiss CERT described Dridex being used to deliver Carbanak's malware, which ties the Carbanak group to Dridex. A phone number in the domain registration records, which Brian Krebs had already discussed in a 2016 blog post, links the Carbanak group to a Russian security firm.
Because a registrant can supply a fake email address and phone number when registering a domain, attribution to a threat group based on registration details alone is never conclusive. The researchers may have been misled by information the attacker controlled in the domain registration. Attribution is typically hard because groups take care to cover their tracks. In this case, the small pieces of evidence left behind, combined with years of prior research, could link Magecart Group 5 to the Carbanak group; but with evidence this thin, asserting that the two groups are the same would be far-fetched. What matters for defenders is that, whether the Carbanak gang or some other group is behind Magecart Group 5 (MG5), the attackers are resourceful and skilled at bypassing defenses, so a defense in depth strategy that includes monitoring for and detection of attacker behaviors is highly recommended. As Magecart activity continues to grow, researchers must review previous attacks for anything left behind, in order to continue building attacker profiles.